On-Demand Biometrics: Fast Cross-Device Authentication

Figure 1: Login with on-demand biometrics: (a) A user enters their name into the login form in the browser, (b) receives the authentication request on their phone, and (c) approves it with their fingerprint, which (d) completes the login in the browser.

Abstract

We explore the use of a new way to log into a web service, such as email or social media. Using on-demand biometrics, users sign in from a browser on a computer using just their name, which sends a request to their phone for approval. Users approve this request by authenticating on their phone using their fingerprint, which completes the login in the browser. On-demand biometrics thus replace passwords or temporary access codes found in two-step verification with the ease of use of biometrics. We present the results of an interview study on the use of on-demand biometrics with a live login backend. Participants perceived our system as convenient and fast to use and also expressed their trust in fingerprint authentication to keep their accounts safe. We motivate the design of on-demand biometrics, present an analysis of participants' use and responses around general account security and authentication, and conclude with implications for designing fast and easy cross-device authentication.

Discussion, Implications, and Conclusion

Considering the space of existing implementations of two-step verification, on-demand biometrics represent a new type of cross-device login that lies between one-time passwords sent to the phone and touchscreen controls to merely accept or decline a request without any form of authentication, both of which require extra effort.

As shown in this paper, on-demand biometrics strike a positive balance between the perceived security, convenience, and speed of use for users. Multiple studies in the related work have shown that usability trumps security for users, confirming the user’s aversion to overhead in interacting with devices, and leading to low opt-in rates. On-demand biometrics reduce the login process to just grabbing the phone and placing a finger on the home button, which participants often performed in a single motion during our evaluation, even while multitasking. On-demand biometrics thus reduce the overhead of one-time passwords, while providing the simple interaction of touchscreen buttons.

Implication 1: Extend the constraints of a web page with powerful sensors on mobile devices. Conceptually, on-demand biometrics replace the password manager in users’ browsers with users’ biometric features. Given the acceptance, speed, and convenience of use, on-demand biometrics can generalize beyond traditional logins and give users control over individual interactions on a more granular level. Since biometric approval is fast, our feature could be used to authenticate and approve web-based requests to charge a user’s credit card, change the address of an account, or delete personal records.
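The login flow from the abstract, extended to the per-action approvals of Implication 1, as an added sketch that is not the paper's backend. The paper does not specify its protocol, so the `ApprovalServer` class, the 60-second lifetime, and the HMAC key standing in for a fingerprint-gated device key are all assumptions.

```python
import hashlib, hmac, json, secrets, time

REQUEST_TTL = 60  # seconds a pending request stays approvable (assumed value)

def sign(key, rid, req):
    """MAC over request id, user, action and nonce, so an approval cannot be
    moved to a different request or a different action."""
    msg = json.dumps([rid, req["user"], req["action"], req["nonce"]]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def phone_approve(key, rid, req, fingerprint_ok):
    """Stand-in for the phone: the device key is usable only after a
    successful fingerprint match (modelled here as a boolean)."""
    return sign(key, rid, req) if fingerprint_ok else None

class ApprovalServer:
    """Hypothetical backend that tracks requests pushed to a user's phone."""

    def __init__(self, device_keys):
        self.device_keys = device_keys  # user -> key enrolled from the phone
        self.pending = {}               # request id -> request record

    def start(self, user, action, now=None):
        """Browser side: the user typed their name; create the phone request."""
        now = time.time() if now is None else now
        rid = secrets.token_hex(16)
        self.pending[rid] = {"user": user, "action": action,
                             "nonce": secrets.token_hex(16),
                             "expires": now + REQUEST_TTL}
        return rid, dict(self.pending[rid])  # copy that is pushed to the phone

    def complete(self, rid, tag, now=None):
        """Phone side: return the approved action, or None if rejected."""
        now = time.time() if now is None else now
        # pop() makes every request single-use, including after a bad answer.
        req = self.pending.pop(rid, None)
        if req is None or tag is None or now > req["expires"]:
            return None
        expected = sign(self.device_keys[req["user"]], rid, req)
        return req["action"] if hmac.compare_digest(expected, tag) else None
```

A production design would typically use an asymmetric key held in the phone's secure hardware instead of a shared HMAC key, so that the server stores only a public key.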

Implication 2: Promote authentication requests directly to the lock screen. Future implementations of on-demand biometrics should display requests on the lock screen, prompt for authentication right away, and make a separate step of unlocking the phone redundant, similar to a triggered alarm. Similarly, future wearable devices with integrated biometric sensors could be used to securely approve such requests across computers.

Overall, on-demand biometrics are a promising alternative to current implementations of two-step verification, addressing the challenges of convenience and speed of use that previous work has found to be responsible for low adoption rates. The themes in our analysis emerged across a diverse set of participants and thus provide a useful insight into the impression of everyday users. A quick look at the statistics of the usage of the mobile Yahoo Mail app (n > 1,000,000) shows that 61% of Yahoo’s iOS users have a Touch ID-capable device and 72% of them actively use it—a vast potential for the adoption of on-demand biometrics for conveniently accessing accounts and interacting with sensitive information.